efficient malware detection using model checking
play

Efficient Malware Detection using Model-Checking Tayssir Touili - PowerPoint PPT Presentation

Sep 25, 2022 •508 likes •1.04k views

Efficient Malware Detection using Model-Checking Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware Detection The number of new malware exceeds 75 million by the end of 2011, and is still increasing. The number of

  1. Efficient Malware Detection using Model-Checking Tayssir Touili LIPN, CNRS & Univ. Paris 13

  2. Motivation: Malware Detection • The number of new malware exceeds 75 million by the end of 2011, and is still increasing. • The number of malware that produced incidents in 2010 is more than 1.5 billion. • The worm MyDoom slowed down global internet access by 10% in 2004. • Authorities investigating the 2008 crash of Spanair flight 5022 have discovered a central computer system used to monitor technical problems in the aircraft was infected with malware

  3. Motivation: Malware Detection • The number of new malware exceeds 75 million by the end of 2011, and is still increasing. • The number of malware that produced incidents in 2010 is more than 1.5 billion. • The worm MyDoom slowed down global internet access by 10% in 2004. • Authorities investigating the 2008 crash of Spanair flight 5022 have discovered a Malware detection is central computer system used to monitor technical problems in the aircraft was infected with malware important!!

  4. Limitations of classic anti-virus techniques • Signature (pattern) matching: Every known malware has one signature

  5. Limitations of classic anti-virus techniques • Signature (pattern) matching: Every known malware has one signature o Easy to get around o New variants of viruses with the same behavior cannot be detected by these techniques o Nop insertion, code reordering, variable renaming, etc o Virus writers frequently update there viruses to make them undetectable

  6. Limitations of classic anti-virus techniques • Signature (pattern) matching: Every known malware has one signature o Easy to get around o New variants of viruses with the same behavior cannot be detected by these techniques o Nop insertion, code reordering, variable renaming, etc o Virus writers frequently update there viruses to make them undetectable • Code emulation: Executes binary code in a virtual environment

  7. Limitations of classic anti-virus techniques • Signature (pattern) matching: Every known malware has one signature o Easy to get around o New variants of viruses with the same behavior cannot be detected by these techniques o Nop insertion, code reordering, variable renaming, etc o Virus writers frequently update there viruses to make them undetectable • Code emulation: Executes binary code in a virtual environment o Checks program’s behavior only in a limited time interval

  8. Limitations of classic anti-virus techniques • Signature (pattern) matching: Every known malware has one signature Solution: o Easy to get around Check the behavior (not the syntax) of o New variants of viruses with the same behavior cannot be detected by the program without executing it these techniques o Nop insertion, code reordering, variable renaming, etc o Virus writers frequently update there viruses to make them undetectable • Code emulation: Executes binary code in a virtual environment o Checks program’s behavior only in a limited time interval

  9. Limitations of classic anti-virus techniques • Signature (pattern) matching: Every known malware has one signature Solution: o Easy to get around Check the behavior (not the syntax) of o New variants of viruses with the same behavior cannot be detected by the program without executing it these techniques o Nop insertion, code reordering, variable renaming, etc o Virus writers frequently update there viruses to make them undetectable • Code emulation: Executes binary code in a virtual environment o Checks program’s behavior only in a limited time interval Model Checking is a good candidate

  10. Goal: Model-checking for malware detection

  11. Goal: Model-checking for malware detection Binary code ╞ Malicious behavior ?

  12. Goal: Model-checking for malware detection Binary code ╞ Malicious behavior ? Model?

  13. Goal: Model-checking for malware detection Binary code ╞ Malicious behavior ? Model? Specification formalism?

  14. Goal: Model-checking for malware detection Binary code ╞ Malicious behavior ? Model? Specification formalism? Existing works: use finite automata to model the programs

  15. Goal: Model-checking for malware detection Binary code ╞ Malicious behavior ? Model? Specification formalism? Existing works: use finite automata to model the programs Stack?

  16. Stack: important for malware detection • To achieve their goal, malware have to call functions of the operating system • Antiviruses determine malware by checking the calls to the operating systems. • Virus writers try to hide these calls.

  17. Stack: important for malware detection • To achieve their goal, malware have to call functions of the operating system • Antiviruses determine malware by checking the calls to the operating systems. • Virus writers try to hide these calls. L0 : push L1 L0 : call f L’0: jmp f L1: … L1: … … … … … f : function f f : function f

  18. Stack: important for malware detection • To achieve their goal, malware have to call functions of the operating system Important to analyse the program’s • Antiviruses determine malware by checking the calls stack to the operating systems. • Virus writers try to hide these calls. L0 : push L1 L0 : call f L’0: jmp f L1: … L1: … … … … … f : function f f : function f

  19. Stack: important for malware detection • To achieve their goal, malware have to call functions of the operating system Important to analyse the program’s • Antiviruses determine malware by checking the calls stack to the operating systems. • Virus writers try to hide these calls. L0 : push L1 Solution: L0 : call f L’0: jmp f Use pushdown systems to model L1: … L1: … programs … … … … f : function f f : function f

  20. Goal: Model-checking for malware detection Binary code ╞ Malicious behavior ? Pushdown Specification Systems formalism?

  21. Goal: Model-checking for malware detection Binary code ╞ Malicious behavior ? Specification Pushdown Systems formalism?

  22. Specification of malicious behaviors? Example: fragment of email worm Avron Call the API GetModuleHandleA mov eax, 0 with 0 as parameter. push eax This returns the entry address of its call GetModuleHandleA own executable. Copy itself to other locations.

  23. Specification of malicious behaviors? Example: fragment of email worm Avron Call the API GetModuleHandleA mov eax, 0 with 0 as parameter. push eax This returns the entry address of its call GetModuleHandleA own executable. Copy itself to other locations. How to describe this specification?

  24. Specification of malicious behaviors? Example: fragment of email worm Avron mov eax, 0 push eax call GetModuleHandleA In CTL (Branching-time temporal logic) : mov(eax,0) ˄ EX ( push(eax) ˄ EX call GetModuleHandleA )

  25. Specification of malicious behaviors? Example: fragment of email worm Avron EX p mov eax, 0 p push eax call GetModuleHandleA In CTL (Branching-time temporal logic) : mov(eax,0) ˄ EX ( push(eax) ˄ EX call GetModuleHandleA ) EX p : there is a path where p holds at the next state

  26. Specification of malicious behaviors? Example: fragment of email worm Avron EX p mov eax, 0 p push eax call GetModuleHandleA In CTL (Branching-time temporal logic) : mov(eax,0) ˄ EX ( push(eax) ˄ EX call GetModuleHandleA ) ˅ mov(ebx,0) ˄ EX ( push(ebx) ˄ EX call GetModuleHandleA ) ˅ mov(ecx,0) ˄ EX ( push(ecx) ˄ EX call GetModuleHandleA ) ˅ … .. all the other registers EX p : there is a path where p holds at the next state

  27. Specification of malicious behaviors? Example: fragment of email worm Avron EX p mov eax, 0 p push eax call GetModuleHandleA Huge! In CTL (Branching-time temporal logic) : mov(eax,0) ˄ EX ( push(eax) ˄ EX call GetModuleHandleA ) ˅ mov(ebx,0) ˄ EX ( push(ebx) ˄ EX call GetModuleHandleA ) ˅ mov(ecx,0) ˄ EX ( push(ecx) ˄ EX call GetModuleHandleA ) ˅ … .. all the other registers EX p : there is a path where p holds at the next state

  28. Specification of malicious behaviors? Example: fragment of email worm Avron mov eax, 0 CTPL = CTL + push eax ∃ , variables + ∀ call GetModuleHandleA In CTL: mov(eax,0) ˄ EX ( push(eax) ˄ EX callGetModuleHandleA ) ˅ mov(ebx,0) ˄ EX ( push(ebx) ˄ EX callGetModuleHandleA ) ˅ mov(ecx,0) ˄ EX ( push(ecx) ˄ EX callGetModuleHandleA ) ˅ … .. all the other registers

  29. Specification of malicious behaviors? Example: fragment of email worm Avron mov eax, 0 CTPL = CTL + push eax ∃ , variables + ∀ call GetModuleHandleA In CTL: mov(eax,0) ˄ EX ( push(eax) ˄ EX callGetModuleHandleA ) ˅ mov(ebx,0) ˄ EX ( push(ebx) ˄ EX callGetModuleHandleA ) ˅ mov(ecx,0) ˄ EX ( push(ecx) ˄ EX callGetModuleHandleA ) ˅ … .. all the other registers In CTPL: ᴲ r ( mov(r,0) ˄ EX ( push(r) ˄ EX call GetModuleHandleA ) )

  30. Specification of malicious behaviors? Example: fragment of email worm Avron mov eax, 0 CTPL = CTL + push eax ∃ , variables + ∀ call GetModuleHandleA In CTL: CTPL cannot describe the stack: mov(eax,0) ˄ EX ( push(eax) ˄ EX callGetModuleHandleA ) ˅ needed for malicious behaviors mov(ebx,0) ˄ EX ( push(ebx) ˄ EX callGetModuleHandleA ) description ˅ mov(ecx,0) ˄ EX ( push(ecx) ˄ EX callGetModuleHandleA ) ˅ … .. all the other registers In CTPL: ᴲ r ( mov(r,0) ˄ EX ( push(r) ˄ EX call GetModuleHandleA ) )

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Towards efficient model checking for variants of ATL under different semantics Wojciech Penczek

Towards efficient model checking for variants of ATL under different semantics Wojciech Penczek

Specification of Strategic Abilities in ATL* Model checking Multi-Valued ATL* Partial order reductions for sATL* Simpler strategies for Timed ATL Conclusions Towards efficient model checking for variants of ATL under different semantics

1.1k views • 88 slides
Effective and Efficient Malware Detection at the End Host Clemens KOLBITSCH, Paolo MILANI

Effective and Efficient Malware Detection at the End Host Clemens KOLBITSCH, Paolo MILANI

Secure Systems Lab Technical University Vienna Effective and Efficient Malware Detection at the End Host Clemens KOLBITSCH, Paolo MILANI COMPARETTI, Engin KIRDA, Christopher KRUEGEL, Xiaoyong ZHOU, XiaoFeng WANG ck@iseclab.org Secure Systems

446 views • 43 slides
A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

313 views • 14 slides
Statistical Statistical Statistical Model Statistical Model Model Checking Model Checking

Statistical Statistical Statistical Model Statistical Model Model Checking Model Checking

Statistical Statistical Statistical Model Statistical Model Model Checking Model Checking Checking Checking for Timed Automata Timed Automata Coll C l C ll b llabora orators: t ors: Peter Bulychev, Alexandre David Axel Legay, Marius

725 views • 59 slides
On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware

On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware

On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware Detection The number of new malware exceeds 75 million by the end of 2011, and is still increasing. The number of malware that produced

1.34k views • 91 slides
Model checking perhaps the most important part of applied statistical modelling Simon Wood

Model checking perhaps the most important part of applied statistical modelling Simon Wood

Model checking perhaps the most important part of applied statistical modelling Simon Wood Model checking Checking validation! As with detection function, checking is important Want to know the model conforms to assumptions What

524 views • 26 slides
MALWARE DETECTION BY EATING A WHOLE EXE Presented by: Edward Raff Jared Sylvester Robert

MALWARE DETECTION BY EATING A WHOLE EXE Presented by: Edward Raff Jared Sylvester Robert

MALWARE DETECTION BY EATING A WHOLE EXE Presented by: Edward Raff Jared Sylvester Robert Brandon 1 November 2017 2 Malware Detection? Dont AVs do that? Single incidents of malware are now causing millions in damages. Potential

347 views • 19 slides
Hoare Logic and Model Checking Model Checking Lecture 11: Model checking for Computation Tree

Hoare Logic and Model Checking Model Checking Lecture 11: Model checking for Computation Tree

Hoare Logic and Model Checking Model Checking Lecture 11: Model checking for Computation Tree Logic Dominic Mulligan Based on previous slides by Alan Mycroft and Mike Gordon Programming, Logic, and Semantics Group University of Cambridge

402 views • 25 slides
D&D of malware with exotic C&C D&D = Description & Detection C&C = Command

D&D of malware with exotic C&C D&D = Description & Detection C&C = Command

D&D of malware with exotic C&C D&D = Description & Detection C&C = Command & Control Automotive Consumer Energy & Chemicals Paul Rascagneres - @r00tbsd Eric Leblond - @Regiteric D&D of malware with exotic C&C

781 views • 34 slides
Efficient Probabilistic Model Checking of Systems with Ranged Probabilities Khalil Ghorbal 1 , 2

Efficient Probabilistic Model Checking of Systems with Ranged Probabilities Khalil Ghorbal 1 , 2

Introduction Bounded Properties Unbounded Properties Experiments Efficient Probabilistic Model Checking of Systems with Ranged Probabilities Khalil Ghorbal 1 , 2 Parasara Sridhar Duggirala 1 , 3 c 1 Vineet Kahlon 1 Aarti Gupta 1 Franjo Ivan

400 views • 28 slides
Model Checking Lots of Systems Efficient Verification of Temporal Properties in Software Product

Model Checking Lots of Systems Efficient Verification of Temporal Properties in Software Product

Model Checking Lots of Systems Efficient Verification of Temporal Properties in Software Product Lines Andreas Classen, Patrick Heymans, Pierre-Yves Schobbens, Axel Legay, Jean-Franois Raskin (2010) Presented by Laura Walsh 1 Overview 1.

401 views • 28 slides
Bounded Model Checking bmc Revision: 1.11 1 [BiereCimattiClarkeZhu99] uses SAT for model

Bounded Model Checking bmc Revision: 1.11 1 [BiereCimattiClarkeZhu99] uses SAT for model

Bounded Model Checking bmc Revision: 1.11 1 [BiereCimattiClarkeZhu99] uses SAT for model checking historically not the first symbolic model checking approach scales better than original BDD based techniques mostly incomplete in

521 views • 28 slides
CTL Chapter 6 Part 2 Overview Review CTL Model Checking CTL model Checking algorithms

CTL Chapter 6 Part 2 Overview Review CTL Model Checking CTL model Checking algorithms

CTL Chapter 6 Part 2 Overview Review CTL Model Checking CTL model Checking algorithms for ( U ) Counter Examples and witnesses Symbolic Model Checking (Thursday) Binary Decision Trees

740 views • 40 slides
Hoare Logic and Model Checking Model Checking But perhaps theres a clever way of

Hoare Logic and Model Checking Model Checking But perhaps theres a clever way of

Hoare Logic and Model Checking Model Checking But perhaps theres a clever way of compiling one into the other? Both have very different models of time How do they compare? We have seen two widely used temporal logics Relative

510 views • 10 slides
Experiences of of La Landing Machine Le Learning onto Market-Scale Mobile Malware Detection

Experiences of of La Landing Machine Le Learning onto Market-Scale Mobile Malware Detection

Experiences of of La Landing Machine Le Learning onto Market-Scale Mobile Malware Detection Liangyi Gong, Zhenhua Li, Feng Qian, Zifan Zhang, Qi Alfred Chen, Zhiyun Qian, Hao Lin, Yunhao Liu Mobile Malware Detection Android App Markets

424 views • 29 slides
Hoare Logic and Model Checking 1. You should be able to model simple systems in NuSMV, an LTL

Hoare Logic and Model Checking 1. You should be able to model simple systems in NuSMV, an LTL

Hoare Logic and Model Checking 1. You should be able to model simple systems in NuSMV, an LTL Other interesting books: Model Checking by Clarke, Grumberg, and Peled Principles of Model Checking by Baier and Katoen 3 Course

636 views • 11 slides
Adiabatic theorems in quantum statistical mechanics and Landauer principle Vojkan Jaksic McGill

Adiabatic theorems in quantum statistical mechanics and Landauer principle Vojkan Jaksic McGill

Adiabatic theorems in quantum statistical mechanics and Landauer principle Vojkan Jaksic McGill University Joint work with T. Benoist, M. Fraas, and C-A. Pillet October 9, 2016 ADIABATIC THEOREMS IN QSM Hilbert space H , dim H < , H

477 views • 9 slides
ECS231 Least-squares problems (Introduction to Randomized Algorithms) May 21, 2019 1 / 12

ECS231 Least-squares problems (Introduction to Randomized Algorithms) May 21, 2019 1 / 12

ECS231 Least-squares problems (Introduction to Randomized Algorithms) May 21, 2019 1 / 12 Outline 1. linear least squares review 2. Solving LS by sampling 3. Solving LS by randomized preconditioning 4. Gradient-based optimization

259 views • 12 slides
Edge universality in interacting 2 d topological insulators Marcello Porta Joint with: G.

Edge universality in interacting 2 d topological insulators Marcello Porta Joint with: G.

Edge universality in interacting 2 d topological insulators Marcello Porta Joint with: G. Antinucci (UZH) and V. Mastropietro (Milan) Summary Introduction: edge transport in noninteracting quantum Hall systems and time-reversal invariant

627 views • 46 slides
HOW TO THINK OF QUANTUM MARKOV MODELS FROM AN ENGINEERING PERSPECTIVE John Gough (Aberystwyth)

HOW TO THINK OF QUANTUM MARKOV MODELS FROM AN ENGINEERING PERSPECTIVE John Gough (Aberystwyth)

HOW TO THINK OF QUANTUM MARKOV MODELS FROM AN ENGINEERING PERSPECTIVE John Gough (Aberystwyth) Mathematics of QIT May 6-10 Lorentz Center Input-Plant-Output Models Plant = System (state variable x ) Laplace domain

729 views • 33 slides
Through Many-Valent Semantics Carolina Blasio IFCH/UNICAMP PhDs in Logic May 3 rd , BOCHUM

Through Many-Valent Semantics Carolina Blasio IFCH/UNICAMP PhDs in Logic May 3 rd , BOCHUM

Through Many-Valent Semantics Carolina Blasio IFCH/UNICAMP PhDs in Logic May 3 rd , BOCHUM Carolina Blasio (IFCH/UNICAMP) Logic and Epistemology 1 / 20 Through Many-Valent Semantics Introduction Carolina Blasio (IFCH/UNICAMP) Logic and

1.69k views • 69 slides
Using sources ANU Academic Skills Workshop coverage Why use academic sources in your work?

Using sources ANU Academic Skills Workshop coverage Why use academic sources in your work?

Using sources ANU Academic Skills Workshop coverage Why use academic sources in your work? How? Ways to legitimately incorporate others ideas Using sources with academic integrity ANU Academic Skills Developing writer stance

751 views • 50 slides
Random Fourier Features for Kernel Ridge Regression Michael Kapralov 1 1 EPFL (Joint work with H.

Random Fourier Features for Kernel Ridge Regression Michael Kapralov 1 1 EPFL (Joint work with H.

Random Fourier Features for Kernel Ridge Regression Michael Kapralov 1 1 EPFL (Joint work with H. Avron, C. Musco, C. Musco, A. Velingker and A. Zandieh) 1 / 43 Scalable machine learning algorithms with provable guarantees In this talk: towards

1.02k views • 87 slides
1. Tristan Benoist (LPT Toulouse) - Heat and work full

1. Tristan Benoist (LPT Toulouse) - Heat and work full

1. Tristan Benoist (LPT Toulouse) - Heat and work full counting statistics in the adiabatic limit Introductory lectures on classical thermodynamics deal

749 views • 3 slides

More recommend